Network Packet Broker
The Network Packet Broker for Azure Operator Nexus is a dedicated offering from Microsoft Azure tailored to telecommunications service providers. With it, telecom operators can efficiently capture, aggregate, filter and monitor traffic in their infrastructure (AON) for deep packet inspection, traffic analysis and enhanced network monitoring. This is critical in the telecom industry, where maintaining high service quality, ensuring security and meeting regulatory requirements are essential. By applying this solution, operators gain better visibility into their network traffic, resolve issues more effectively and ultimately deliver improved service to their customers while maintaining the highest standards of network security and performance.
The Network Packet Broker (NPB) is designed and modeled as a separate top-level Azure Resource Manager (ARM) resource under Microsoft.managednetworkfabric. Operators can create, read, update and delete Network TAP, Network TAP rule and neighbor group functions. Each Network Packet Broker has several resources, such as Network TAPs, neighbor groups and Network TAP rules, which are used to manage, filter and forward the specified traffic.
Steps to enable the Network Packet Broker
Prerequisites
- NPB devices are correctly installed, stacked and provisioned. For the procedure for provisioning the network fabric, see Network Fabric provisioning.
- The corresponding vProbes should be set up with dedicated IPs.
- For internal vProbes, a Layer 3 isolation domain with an internal network should be created. The required connected subnets should be configured, and the extension flag should be set to NPB (in the internal network). For the procedure for creating internal and external networks on an isolation domain and setting the extension flag for NPB, see Isolation domains.
- For the network-to-network interconnect (NNI) use case, the NNI should be created with type NPB. Appropriate Layer 2 and Layer 3 properties should be defined during NNI creation. For the procedure for creating a network-to-network interconnect (NNI), see Network Fabric provisioning.
Steps
- Create a Network TAP rule that provides the match configuration (only the Inline input method is supported).
- Create a neighbor group resource that defines the destinations.
- Create a Network TAP resource that references the TAP rule and the neighbor group.
- Enable the Network TAP resource.
NPB
The NNF creates this resource automatically during bootstrap.
Show NPB
This command shows the details of the NPB logical resource.

```bash
az networkfabric npb show --resource-group "example-rg" --resource-name "NPB1"
```

Expected output:

```json
{
  "properties": {
    "networkFabricId": "/subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/resourcegroups/example-rg/providers/Microsoft.ManagedNetworkFabric/networkFabrics/example-networkFabric",
    "networkDeviceIds": [
      "/subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/resourcegroups/example-rg/providers/Microsoft.ManagedNetworkFabric/networkDevices/example-networkDevice"
    ],
    "sourceInterfaceIds": [
      "/subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/resourcegroups/example-rg/providers/Microsoft.ManagedNetworkFabric/networkDevices/example-networkDevice/networkInterfaces/example-networkInterface"
    ],
    "networkTapIds": [
      "/subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/resourcegroups/example-rg/providers/Microsoft.ManagedNetworkFabric/networkTaps/example-networkTap"
    ],
    "neighborGroupIds": [
      "/subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/resourcegroups/example-rg/providers/Microsoft.ManagedNetworkFabric/neighborGroups/example-neighborGroup"
    ],
    "provisioningState": "Succeeded"
  },
  "tags": {
    "key2806": "key"
  },
  "location": "eastuseuap",
  "id": "/subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/resourcegroups/example-rg/providers/Microsoft.ManagedNetworkFabric/networkPacketBrokers/example-networkPacketBroker",
  "name": "example-networkPacketBroker",
  "type": "microsoft.managednetworkfabric/networkPacketBrokers",
  "systemData": {
    "createdBy": "email@address.com",
    "createdByType": "User",
    "createdAt": "2023-05-17T11:56:12.100Z",
    "lastModifiedBy": "email@address.com",
    "lastModifiedByType": "User",
    "lastModifiedAt": "2023-05-17T11:56:12.100Z"
  }
}
```
Network TAP rules
The NetworkTapRule resource provides a combination of filtering and forwarding by supplying match conditions and actions.
Parameters for Network TAP rules

Parameter | Description | Example | Required |
---|---|---|---|
resource-group | Use the appropriate resource group name specifically for the NetworkTapRule | ResourceGroupName | True |
resource-name | Resource name of the Network TAP rule | InternetTAPrule1 | True |
location | AzON Azure region used during Network Fabric Controller (NFC) creation | eastus | True |
configuration-type | Input method used to configure the Network TAP rule | Inline or File | True |
match-configurations | List of match configurations | | |
match-configurations/matchconfigurationName | Name of the match configuration block | | |
match-configurations/sequenceNumber | Sequence number of the match configuration | | |
match-configurations/ipAddressType | IP address family | | |
match-configurations/matchconditions | List of dynamic match conditions based on port, protocol, VLAN and IP conditions | | |
match-configurations/action | Action details. The action can be Drop, Count, Log, Goto, Redirect or Mirror | | |
dynamic-match-configurations | List of dynamic match configurations based on port, VLAN and IP | | |

Note
Network TAP rules and neighbor groups must be created before they can be referenced in a Network TAP.
Create a Network TAP rule
This command creates a Network TAP rule:

```bash
az networkfabric taprule create --resource-group "example-rg" --location "westus3" --resource-name "example-networktaprule" \
  --configuration-type "Inline" \
  --match-configurations "[{matchConfigurationName:config1,sequenceNumber:10,ipAddressType:IPv4,matchConditions:[{encapsulationType:None,portCondition:{portType:SourcePort,layer4Protocol:TCP,ports:[100],portGroupNames:['example-portGroup1']},protocolTypes:[TCP],vlanMatchCondition:{vlans:['10'],innerVlans:['11-20']},ipCondition:{type:SourceIP,prefixType:Prefix,ipPrefixValues:['10.10.10.10/20']}}],actions:[{type:Drop,truncate:100,isTimestampEnabled:True,destinationId:'/subscriptions/xxxxx-xxxx-xxxx-xxxx-xxxxx/resourcegroups/example-rg/providers/Microsoft.ManagedNetworkFabric/neighborGroups/example-neighborGroup',matchConfigurationName:match1}]}]" \
  --dynamic-match-configurations "[{ipGroups:[{name:'example-ipGroup1',ipAddressType:IPv4,ipPrefixes:['10.10.10.10/30']}],vlanGroups:[{name:'example-vlanGroup',vlans:['10']}],portGroups:[{name:'example-portGroup1',ports:['100-200']}]}]"
```

Expected output:
```json
{
  "properties": {
    "networkTapId": "/subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/resourcegroups/example-rg/providers/Microsoft.ManagedNetworkFabric/networkTaps/example-taprule",
    "pollingIntervalInSeconds": 30,
    "lastSyncedTime": "2023-06-12T07:11:22.485Z",
    "configurationState": "Succeeded",
    "provisioningState": "Accepted",
    "administrativeState": "Enabled",
    "annotation": "annotation",
    "configurationType": "Inline",
    "tapRulesUrl": "",
    "matchConfigurations": [
      {
        "matchConfigurationName": "config1",
        "sequenceNumber": 10,
        "ipAddressType": "IPv4",
        "matchConditions": [
          {
            "encapsulationType": "None",
            "portCondition": {
              "portType": "SourcePort",
              "l4Protocol": "TCP",
              "ports": [
                "100"
              ],
              "portGroupNames": [
                "example-portGroup1"
              ]
            },
            "protocolTypes": [
              "TCP"
            ],
            "vlanMatchCondition": {
              "vlans": [
                "10"
              ],
              "innerVlans": [
                "11-20"
              ],
              "vlanGroupNames": [
                "example-vlanGroup"
              ]
            },
            "ipCondition": {
              "type": "SourceIP",
              "prefixType": "Prefix",
              "ipPrefixValues": [
                "10.10.10.10/20"
              ],
              "ipGroupNames": [
                "example-ipGroup"
              ]
            }
          }
        ],
        "actions": [
          {
            "type": "Drop",
            "truncate": "100",
            "isTimestampEnabled": "True",
            "destinationId": "/subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/resourcegroups/example-rg/providers/Microsoft.ManagedNetworkFabric/neighborGroups/example-neighborGroup",
            "matchConfigurationName": "match1"
          }
        ]
      }
    ],
    "dynamicMatchConfigurations": [
      {
        "ipGroups": [
          {
            "name": "example-ipGroup1",
            "ipPrefixes": [
              "10.10.10.10/30"
            ]
          }
        ],
        "vlanGroups": [
          {
            "name": "example-vlanGroup",
            "vlans": [
              "10",
              "100-200"
            ]
          }
        ],
        "portGroups": [
          {
            "name": "example-portGroup1",
            "ports": [
              "100-200"
            ]
          },
          {
            "name": "example-portGroup2",
            "ports": [
              "900",
              "1000-2000"
            ]
          }
        ]
      }
    ]
  },
  "tags": {
    "keyID": "keyValue"
  },
  "location": "eastuseuap",
  "id": "/subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/resourcegroups/example-rg/providers/Microsoft.ManagedNetworkFabric/networkTapRules/example-tapRule",
  "name": "example-tapRule",
  "type": "microsoft.managednetworkfabric/networkTapRules",
  "systemData": {
    "createdBy": "email@address.com",
    "createdByType": "User",
    "createdAt": "2023-06-12T07:11:22.488Z",
    "lastModifiedBy": "user@mail.com",
    "lastModifiedByType": "User",
    "lastModifiedAt": "2023-06-12T07:11:22.488Z"
  }
}
```
Show a Network TAP rule
This command shows the Network TAP rule resource:

```bash
az networkfabric taprule show --resource-group "example-rg" --resource-name "example-networktaprule"
```

Expected output:
```json
{
  "properties": {
    "networkTapId": "/subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/resourcegroups/example-rg/providers/Microsoft.ManagedNetworkFabric/networkTaps/example-taprule",
    "pollingIntervalInSeconds": 30,
    "lastSyncedTime": "2023-06-12T07:11:22.485Z",
    "configurationState": "Succeeded",
    "provisioningState": "Accepted",
    "administrativeState": "Enabled",
    "annotation": "annotation",
    "configurationType": "Inline",
    "tapRulesUrl": "",
    "matchConfigurations": [
      {
        "matchConfigurationName": "config1",
        "sequenceNumber": 10,
        "ipAddressType": "IPv4",
        "matchConditions": [
          {
            "encapsulationType": "None",
            "portCondition": {
              "portType": "SourcePort",
              "l4Protocol": "TCP",
              "ports": [
                "100"
              ],
              "portGroupNames": [
                "example-portGroup1"
              ]
            },
            "protocolTypes": [
              "TCP"
            ],
            "vlanMatchCondition": {
              "vlans": [
                "10"
              ],
              "innerVlans": [
                "11-20"
              ],
              "vlanGroupNames": [
                "example-vlanGroup"
              ]
            },
            "ipCondition": {
              "type": "SourceIP",
              "prefixType": "Prefix",
              "ipPrefixValues": [
                "10.10.10.10/20"
              ],
              "ipGroupNames": [
                "example-ipGroup"
              ]
            }
          }
        ],
        "actions": [
          {
            "type": "Drop",
            "truncate": "100",
            "isTimestampEnabled": "True",
            "destinationId": "/subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/resourcegroups/example-rg/providers/Microsoft.ManagedNetworkFabric/neighborGroups/example-neighborGroup",
            "matchConfigurationName": "match1"
          }
        ]
      }
    ],
    "dynamicMatchConfigurations": [
      {
        "ipGroups": [
          {
            "name": "example-ipGroup1",
            "ipPrefixes": [
              "10.10.10.10/30"
            ]
          }
        ],
        "vlanGroups": [
          {
            "name": "example-vlanGroup",
            "vlans": [
              "10",
              "100-200"
            ]
          }
        ],
        "portGroups": [
          {
            "name": "example-portGroup1",
            "ports": [
              "100-200"
            ]
          },
          {
            "name": "example-portGroup2",
            "ports": [
              "900",
              "1000-2000"
            ]
          }
        ]
      }
    ]
  },
  "tags": {
    "keyID": "keyValue"
  },
  "location": "eastuseuap",
  "id": "/subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/resourcegroups/example-rg/providers/Microsoft.ManagedNetworkFabric/networkTapRules/example-tapRule",
  "name": "example-tapRule",
  "type": "microsoft.managednetworkfabric/networkTapRules",
  "systemData": {
    "createdBy": "email@address.com",
    "createdByType": "User",
    "createdAt": "2023-06-12T07:11:22.488Z",
    "lastModifiedBy": "user@mail.com",
    "lastModifiedByType": "User",
    "lastModifiedAt": "2023-06-12T07:11:22.488Z"
  }
}
```
Neighbor group
The neighbor group resource groups destinations to which filtered traffic is forwarded.
Parameters for neighbor groups

Parameter | Description | Example | Required |
---|---|---|---|
resource-group | Use the appropriate resource group name specifically for the NeighborGroup | ResourceGroupName | True |
resource-name | Resource name of the NeighborGroup | example-Neighbor | True |
location | AzON Azure region used during NFC creation | eastus | True |
destination | List of IPv4 or IPv6 destinations to which traffic is forwarded | 10.10.10.10 | True |

Create a neighbor group
This command creates a neighbor group resource:

```bash
az networkfabric neighborgroup create --resource-group "example-rg" --location "westus3" \
  --resource-name "example-neighborgroup" --destination "{ipv4Addresses:['10.10.10.10']}"
```

Expected output:
```json
{
  "properties": {
    "networkTapIds": [],
    "networkTapRuleIds": [],
    "destination": {
      "ipv4Addresses": [
        "10.10.10.10"
      ]
    },
    "provisioningState": "Succeeded",
    "annotation": "annotation"
  },
  "tags": {
    "keyID": "KeyValue"
  },
  "location": "eastus",
  "id": "/subscriptions/subscriptionId/resourceGroups/example-rg/providers/Microsoft.ManagedNetworkFabric/neighborGroups/example-neighborGroup",
  "name": "example-neighborGroup",
  "type": "microsoft.managednetworkfabric/neighborGroups",
  "systemData": {
    "createdBy": "user@mail.com",
    "createdByType": "User",
    "createdAt": "2023-05-23T05:49:59.193Z",
    "lastModifiedBy": "email@address.com",
    "lastModifiedByType": "User",
    "lastModifiedAt": "2023-05-23T05:49:59.194Z"
  }
}
```
Show the neighbor group resource
This command shows the neighbor group resource:

```bash
az networkfabric neighborgroup show --resource-group "example-rg" --resource-name "example-neighborgroup"
```

Expected output:
```json
{
  "properties": {
    "networkTapIds": [],
    "networkTapRuleIds": [],
    "destination": {
      "ipv4Addresses": [
        "10.10.10.10"
      ]
    },
    "provisioningState": "Succeeded",
    "annotation": "annotation"
  },
  "tags": {
    "keyID": "KeyValue"
  },
  "location": "eastus",
  "id": "/subscriptions/subscriptionId/resourceGroups/example-rg/providers/Microsoft.ManagedNetworkFabric/neighborGroups/example-neighborGroup",
  "name": "example-neighborGroup",
  "type": "microsoft.managednetworkfabric/neighborGroups",
  "systemData": {
    "createdBy": "user@mail.com",
    "createdByType": "User",
    "createdAt": "2023-05-23T05:49:59.193Z",
    "lastModifiedBy": "email@address.com",
    "lastModifiedByType": "User",
    "lastModifiedAt": "2023-05-23T05:49:59.194Z"
  }
}
```
Network TAP
A Network TAP lets operators define the destinations and the encapsulation mechanism used to forward traffic filtered by Network TAP rules.
Parameters for Network TAPs

Parameter | Description | Example | Required |
---|---|---|---|
resource-group | Use the appropriate resource group name specifically for the Network TAP | ResourceGroupName | True |
resource-name | Resource name of the Network TAP | NetworkTAP-Austin | True |
location | AzON Azure region used during NFC creation | eastus | True |
network-packet-broker-id | ARM ID of the Network Packet Broker resource | | True |
polling-type | Polling method for the Network TAP rule (Push or Pull) | Pull | True |
destination | Destination definition | | True |
destination/name | Name of the destination | | |
destination/type | Type of destination: IsolationDomain or NNI | | |
destination/IsolationDomainProperties | Details of the isolation domain: encapsulation and neighbor group IDs | ARM ID of the internal network or NNI | False |
destinationTapRuleId | ARM ID of the TAP rule to apply | | True |

Note
Network TAP rules and neighbor groups must be created before they can be referenced in a Network TAP.
NetworkTAP device programming naming conventions and best practices:
You must ensure that the configurations and values in these field-set names (vlanGroupNames, ipGroupNames, PortGroupNames) are unique and do not conflict with each other.
Recommendations:
- Unique field-set names: field-set names must be unique across NetworkTAPRules whenever the field-set contents differ.
- Unique resource names: NetworkTAP and NetworkTAPRule resource names must be unique across resource groups within a Fabric.
- Regional resource creation: NetworkTAP and NetworkTAPRule resources must be created in the region and associated with the corresponding Fabric in that region.
- Destination name modification: the destination name is unique to the destination configuration defined for a Network TAP rule. Once the Network TAP configuration has been pushed to the device, the destination name cannot be modified.
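As an added example (not Microsoft's tooling or part of this page), the following Python pre-flight lint applies the field-set uniqueness rule above to NetworkTapRule payloads in the shape passed to --match-configurations and --dynamic-match-configurations: it flags a match condition that references a portGroup, vlanGroup or ipGroup name the rule never defines, and a field-set name that is reused across rules with different contents. The rule names and sample contents are constructed for the example.

```python
# Added pre-flight lint for NetworkTapRule payloads (example code, not Azure's own tooling).
from collections import defaultdict

GROUP_KINDS = {"portGroupNames": ("portGroups", "ports"),  # ref key -> (dynamic group list, members)
               "vlanGroupNames": ("vlanGroups", "vlans"),
               "ipGroupNames": ("ipGroups", "ipPrefixes")}

def defined_groups(rule):
    """Map (refKey, groupName) -> frozenset of members the rule itself defines."""
    out = {}
    for dyn in rule.get("dynamicMatchConfigurations", []):
        for ref_key, (list_key, member_key) in GROUP_KINDS.items():
            for grp in dyn.get(list_key, []):
                out[(ref_key, grp["name"])] = frozenset(grp.get(member_key, []))
    return out

def referenced_groups(rule):
    """Yield (refKey, groupName) for every group a match condition points at."""
    for mc in rule.get("matchConfigurations", []):
        for cond in mc.get("matchConditions", []):
            for sub in ("portCondition", "vlanMatchCondition", "ipCondition"):
                for ref_key in GROUP_KINDS:
                    for name in cond.get(sub, {}).get(ref_key, []):
                        yield ref_key, name

def lint_tap_rules(rules):
    """Findings (empty = pass): undefined group refs, or a name reused with different contents."""
    findings, seen = [], defaultdict(dict)  # seen[(kind, name)][ruleName] = members
    for rule in rules:
        rname, defined = rule["name"], defined_groups(rule)
        for key, members in defined.items():
            seen[key][rname] = members
        for kind, name in referenced_groups(rule):
            if (kind, name) not in defined:
                findings.append(f"{rname}: {kind} references undefined group '{name}'")
    for (kind, name), by_rule in seen.items():
        if len(set(by_rule.values())) > 1:
            findings.append(f"field set '{name}' ({kind}) differs across rules {sorted(by_rule)}")
    return findings

# Constructed sample: rule A is clean; rule B redefines 'example-portGroup1' with other
# ports and references an ipGroup it never defines, so lint_tap_rules reports two findings.
RULE_A = {"name": "tap-rule-a", "matchConfigurations": [{"sequenceNumber": 10, "matchConditions": [
    {"portCondition": {"portGroupNames": ["example-portGroup1"]}}]}],
    "dynamicMatchConfigurations": [{"portGroups": [{"name": "example-portGroup1", "ports": ["100-200"]}]}]}
RULE_B = {"name": "tap-rule-b", "matchConfigurations": [{"sequenceNumber": 10, "matchConditions": [
    {"ipCondition": {"ipGroupNames": ["example-ipGroup"]}}]}],
    "dynamicMatchConfigurations": [{"portGroups": [{"name": "example-portGroup1", "ports": ["900"]}]}]}

if __name__ == "__main__":
    print(*lint_tap_rules([RULE_A, RULE_B]), sep="\n")
```

Run it against the JSON you intend to pass to az networkfabric taprule create before the configuration is pushed, since the destination name and field sets cannot be freely changed afterwards.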
Create a Network TAP
This command creates a Network TAP resource:

```bash
az networkfabric tap create --resource-group "example-rg" --location "westus3" \
  --resource-name "example-networktap" \
  --network-packet-broker-id "/subscriptions/xxxxx-xxxx-xxxx-xxxx-xxxxx/resourcegroups/example-rg/providers/Microsoft.ManagedNetworkFabric/networkPacketBrokers/example-networkPacketBroker" \
  --polling-type "Pull" \
  --destinations "[{name:'example-destinationName',destinationType:IsolationDomain,destinationId:'/subscriptions/xxxxx/resourcegroups/example-rg/providers/Microsoft.ManagedNetworkFabric/l3IsolationDomains/example-l3Domain/internalNetworks/example-internalNetwork',\
  isolationDomainProperties:{encapsulation:None,neighborGroupIds:['/subscriptions/xxxxx-xxxx-xxxx-xxxx-xxxxx/resourcegroups/example-rg/providers/Microsoft.ManagedNetworkFabric/neighborGroups/example-neighborGroup']},\
```